The Unintended Consequence of Your EHR

A secret agent slips into an office under the cover of night. Evading cleaning crews and the impressive security precautions, she identifies her target.  She cleverly hides her trap, then slips out the way she came. No one is the wiser until she triggers the trap later that week.

The stuff of Hollywood? No, the world of healthcare cyber espionage. The world that destroyed Iranian centrifuges with a piece of software surreptitiously slipped onto their network. The world where a seemingly innocuous email, or clinical photograph shared between colleagues, or even an email about an upcoming Continuing Medical Education event could harbor a tiny bit of code that will burrow its way into your electronic health record.

That is right – the electronic health record you are required to have leaves you open to cyber predators.  An article in Politico makes me ask "Aren’t you glad we have modernized?"  Today hospitals and medical practices loom as ripe targets for the same measures that governments use against each other, and that hackers use for their own enrichment.  And here is the scary bit of the equation – is your security as good as that of the Defense Department? The State Department? A major defense think tank?

I am just going to hazard a guess that the answer is no.

Cyber-attacks on medical facilities are increasing in frequency, and are ever more audacious.  The anonymity of the internet makes it possible for an attack to go unnoticed until the attacker wants it known. Often, records are mined for data, which can be sold on the black market. Believe it or not, health records often are sold on the dark net for more than are simple social security numbers. This is but one means of income for these offenders.

Even more audacious, and perhaps more devastating, are those attacks that threaten medical record systems through the use of ransom ware. Hackers shut down a medical record system, then the real payday comes for them.  “Pay us a certain amount of untraceable bitcoins by a certain date or we will erase your medical record. ALL OF THEM.” 

But you have backups. “I can just restore my backup, and the ransom ware will be gone, right?” Well, that might work, but chances are you don't have a back up from last year. Or the year before. And even of you did, you are losing years of data. The folks who use ransom ware are patient. They may wait months or years to trigger the code that will hold your previous records hostage. So that backup from last week? Infected. Last month? The same. Last year? Maybe.

This dark world is treacherous. There is no quick fix. And what is frustrating for so many is that we are forced by regulation into the very arena where we are most susceptible. EHRs are here to stay. And let us not forget all of the gadgets at work in our hospitals that are potential vulnerable to an attack.

The list of medical cyber susceptibilities does not begin nor does it end with electronic medical records. Ventilators, IV medication pumps, radiology equipment, and even implantable devices are all vulnerable to a cyber-attack. Ransoming a record could be devastating, but once in control of these other devices, the nefarious could ratchet up the stakes – “pay up or we kill someone…”

So how do we address this challenge? Some hospitals have already been attacked, and some admit paying the demanded ransom.  Of course, there may be little to protect against the hackers from taking a second bite at the apple, locking down the system ad demanding more money. We as a community are just not sure.

It is certain that the authorities and various regulators, from the DOJ to HHS, as well as segments of the cyber security industry are working to address the issue.  In an ironic twist, some have recognized that a good old-fashioned paper copy of their records is the best insurance they have.

Small practices should not stand idly by thinking this is a problem of scale. No one is too little. Indeed, the smaller the practice, arguably the more susceptible they are to an attack.

If you have an electronic health record, even if part of a closed system, you are vulnerable. 

Here you can read the HHS fact sheet regarding Ransomware. I suggest you download this and review its contents on a regular basis. 

Contact the Spiers Group to discuss measures you can take to protect yourself – or recover from an attack.